Fixed #16230 -- Correctly escape errors message passed to ErrorDict. …

…Thanks, Gregor Müllegger. git-svn-id: http://code.djangoproject.com/svn/django/trunk@16461 bcc190cf-cafb-0310-a4f2-bffc1f526a37
django · Jun 26, 2011 · b9eb94e · b9eb94e
1 parent b4bd6bb
commit b9eb94e
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/django/forms/util.py b/django/forms/util.py
@@ -27,7 +27,7 @@ def __unicode__(self):
     def as_ul(self):
         if not self: return u''
         return mark_safe(u'<ul class="errorlist">%s</ul>'
-                % ''.join([u'<li>%s%s</li>' % (k, force_unicode(v))
+                % ''.join([u'<li>%s%s</li>' % (k, conditional_escape(force_unicode(v)))
                     for k, v in self.items()]))
 
     def as_text(self):

diff --git a/tests/regressiontests/forms/tests/util.py b/tests/regressiontests/forms/tests/util.py
@@ -55,3 +55,7 @@ def __unicode__(self): return u"A very bad error."
                          '<ul class="errorlist"><li>Example of link: &lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;</li></ul>')
         self.assertEqual(str(ErrorList([mark_safe(example)])),
                          '<ul class="errorlist"><li>Example of link: <a href="http://www.example.com/">example</a></li></ul>')
+        self.assertEqual(str(ErrorDict({'name': example})),
+                         '<ul class="errorlist"><li>nameExample of link: &lt;a href=&quot;http://www.example.com/&quot;&gt;example&lt;/a&gt;</li></ul>')
+        self.assertEqual(str(ErrorDict({'name': mark_safe(example)})),
+                         '<ul class="errorlist"><li>nameExample of link: <a href="http://www.example.com/">example</a></li></ul>')